---
title: "How to sync third party apps"
---

<Steps>
    <Step title="Add the required variables in your `.env` file">
        1. `CALCOM_WEBHOOK_SECRET`
            - You can generate this by running `openssl rand -base64 32`. This is required when sending 3rd party app credentials from your platform to your instance of Cal.com.
        2. On your self-hosted instance of Cal.com visit settings/admin/apps under an admin account. Here you can enable/disable apps on Cal.com and set the app keys (client id, client secret, etc.). These keys should match the ones on your platform.
        3. `CALCOM_WEBHOOK_HEADER_NAME`
            - The header name is expected to contain the webhook secret. The default is `calcom-webhook-secret`
        5. `CALCOM_CREDENTIAL_SYNC_ENDPOINT`
            - The endpoint on your platform that your instance of [Cal.com](https://Cal.com) will make a request to if the 3rd party app credentials are expired.
        5. `CALCOM_APP_CREDENTIAL_ENCRYPTION_KEY`
            - When sending 3rd party app credentials between your platform and your instance Cal.com, we expect these to be encrypted using AES256. When you encrypt the 3rd party app credentials, ensure the same key is used.

    </Step>
    <Step title="Sending credentials to your cal.com instance">
        When a user adds a 3rd party app on your platform, you should send the credentials that are created to your instance of [Cal.com](http://Cal.com) to `${CALCOM_WEBAPP_URL}/api/webhook/app-credential` . The payload should contain the following

        ```javascript
        {
        // UserId of the Cal.com user
        userId: number;

        // The app slug that is on Cal.com.
        // Can be found in the Cal.com database in the App table
        appSlug: string;

        // The credentials from the 3rd party app. (ex. Access token, refresh token).
        // Ideally it should contain the access token and expiry date
        // AES256 encrypted with CALCOM_APP_CREDENTIAL_ENCRYPTION_KEY
        keys: string;
        }
        ```
    </Step>
    <Step title="Refreshing credentials">
        When [Cal.com](https://Cal.com) needs to refresh the app credentials it will make a request to `CALCOM_CREDENTIAL_SYNC_ENDPOINT`. The request contains the following.

        ```javascript
        {
        calcomUserId: string;
        // App slug on Cal.com
        appSlug: string;
        }
        ```
    </Step>
</Steps>


<Note>
This only works if you have integrated [Cal.com](https://cal.com/) into your platform. Users **must** consent to give access to your platform, and you are simply using [Cal.com](http://cal.com/)'s code within your platform.
</Note>
